From fe117dc1d93faca60525f0a1bf3c0ce53ac3ca6c Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Wed, 27 Sep 2023 16:04:15 +0200
Subject: [PATCH] ci-automation: Switch to managed identity on azure

Switch to using a managed identity instead of file based credentials for
running kola/ore (not plume). This covers our test subscription, but not our
publishing subscription.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 ci-automation/garbage_collect_cloud.sh | 13 +------------
 ci-automation/vendor-testing/azure.sh  |  8 +-------
 2 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/ci-automation/garbage_collect_cloud.sh b/ci-automation/garbage_collect_cloud.sh
index 034edd83b0..043e10efe7 100755
--- a/ci-automation/garbage_collect_cloud.sh
+++ b/ci-automation/garbage_collect_cloud.sh
@@ -3,18 +3,7 @@ set -euo pipefail
 timeout --signal=SIGQUIT 60m ore aws gc --access-id "${AWS_ACCESS_KEY_ID}" --secret-key "${AWS_SECRET_ACCESS_KEY}"
 timeout --signal=SIGQUIT 60m ore do gc --config-file=<(echo "${DIGITALOCEAN_TOKEN_JSON}" | base64 --decode)
 timeout --signal=SIGQUIT 60m ore gcloud gc --json-key <(echo "${GCP_JSON_KEY}" | base64 --decode)
-# Because the Azure file gets read multiple times it can't be passed like <(cmd) because bash backs this FD
-# by a pipe meaning the data is gone after reading. We can create an FD (the FD number is assigned to
-# variable through exec {NAME}) manually and use a file under /tmp to back it instead, allowing multiple
-# reads.
-echo "${AZURE_PROFILE}" | base64 --decode > /tmp/azure_profile
-exec {azure_profile}</tmp/azure_profile
-rm /tmp/azure_profile
-echo "${AZURE_AUTH_CREDENTIALS}" | base64 --decode > /tmp/azure_auth
-exec {azure_auth}</tmp/azure_auth
-rm /tmp/azure_auth
-timeout --signal=SIGQUIT 60m ore azure gc --duration 6h \
-  --azure-profile="/proc/$$/fd/${azure_profile}" --azure-auth="/proc/$$/fd/${azure_auth}"
+timeout --signal=SIGQUIT 60m ore azure gc --duration 6h --azure-identity
 timeout --signal=SIGQUIT 60m ore equinixmetal gc --duration 6h \
   --project="${EQUINIXMETAL_PROJECT}" --gs-json-key=<(echo "${GCP_JSON_KEY}" | base64 --decode) --api-key="${EQUINIXMETAL_KEY}"
 timeout --signal=SIGQUIT 60m ore openstack gc --duration 6h \
diff --git a/ci-automation/vendor-testing/azure.sh b/ci-automation/vendor-testing/azure.sh
index ff036b303a..6fc84ff303 100755
--- a/ci-automation/vendor-testing/azure.sh
+++ b/ci-automation/vendor-testing/azure.sh
@@ -18,11 +18,6 @@ azure_instance_type_var="AZURE_${CIA_ARCH}_MACHINE_SIZE"
 azure_instance_type="${!azure_instance_type_var}"
 azure_vnet_subnet_name="jenkins-vnet-${AZURE_LOCATION}"
 
-azure_profile_config_file=''
-secret_to_file azure_profile_config_file "${AZURE_PROFILE}"
-azure_auth_config_file=''
-secret_to_file azure_auth_config_file "${AZURE_AUTH_CREDENTIALS}"
-
 # Fetch the Azure image if not present
 if [ -f "${AZURE_IMAGE_NAME}" ] ; then
     echo "++++ ${CIA_TESTSCRIPT}: Using existing ${AZURE_IMAGE_NAME} for testing ${CIA_VERNUM} (${CIA_ARCH}) ++++"
@@ -57,8 +52,7 @@ run_kola_tests() {
       --platform=azure \
       --azure-image-file="${AZURE_IMAGE_NAME}" \
       --azure-location="${AZURE_LOCATION}" \
-      --azure-profile="${azure_profile_config_file}" \
-      --azure-auth="${azure_auth_config_file}" \
+      --azure-identity \
       --torcx-manifest="${CIA_TORCX_MANIFEST}" \
       --tapfile="${instance_tapfile}" \
       --azure-size="${instance_type}" \